This is the ninth in a series of videos and blogs in which we speak with both HPE and external subject matter experts on various aspects of hybrid cloud security. Today we speak with Martin Brown, chief security services strategist with vArmour, about the changing approaches to network security in a hybrid data center. Other videos in the series can be found by searching for the tag cloudsecinterviews.

As organizations move from a traditional data center to a hybrid data center spanning both cloud and on-premises infrastructure, finding a way to apply uniform network security policies across the whole environment is near the top of the cloud architect's to-do list. Recently I spent some time with Martin Brown, chief security services strategist at vArmour, discussing some aspects of securing the next-generation network.

Martin started off by talking about the concerns his customers raise when moving from the physical world to the virtual world. The move is often led by a CIO who wants to take advantage of the elasticity and flexibility of a cloud-based environment, but the business can quickly move ahead of where security wants it to be. It is important to find the right balance between performance and security, and Martin sees things being slowed down on the security side so that the environment can be secured appropriately according to its policy and data security needs, whether those are dictated by strict internal security requirements or by government and industry regulation.

Organizations are finding that they are moving from a physical environment, where security controls afforded good visibility and enforcement capabilities, into a virtual environment that often lacks visibility, distributed security controls, and assurance. So they will often try to reuse their existing security controls, looping (hairpinning) traffic through physical appliances in order to get some of this visibility back, but that does not use the data center architecture the way it was intended, and it adds latency and complexity.

Martin likened this to an elastic band: we expect our hybrid data centers to be elastic; they should be easy to orchestrate, controllable, and able to grow and contract with demand, just like an elastic band. But if you put a staple in the middle of the elastic band, it no longer expands and contracts with the same elasticity, and this is the problem organizations face when trying to retrofit legacy security controls into the software-defined data center.

The discussion then moved on to the concept of software segmentation, or microsegmentation. Traditional data centers are often very flat, open structures with only a minimal level of separation. Once an intruder has made it past the perimeter defenses, the lack of internal security controls lets them move laterally between systems of different levels of sensitivity.

Software segmentation, one of the key areas vArmour offers solutions for, allows each individual workload to be isolated in its own microsegment, with security controls applied to the workload that determine who can access it and which protocols or applications can be used. This restricts lateral movement to the paths the policy explicitly allows, and because the policy is attached to the workload rather than to a network location, it travels with the workload wherever it resides. Cloud allows you to work quickly, and with microsegmentation the security policies are already in place as new network services get published.
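To make the per-workload, default-deny policy model concrete, here is an added illustrative example in Python. It is not vArmour's or HPE's code and does not reflect how their product stores or enforces policy; it is a small label-based policy evaluator with a constructed inventory, constructed rules, and constructed flow records (the workload names, addresses and ports are hypothetical). It shows three things the paragraph describes: only explicitly allowed flows pass, a compromised web host cannot reach the database tier directly, and because rules match on workload labels rather than IP addresses, the same policy still applies after the database workload is re-hosted at a new address.

```python
"""
Label-based microsegmentation policy check (added illustrative example,
not vendor code). Rules match on workload labels, not addresses, so the
same policy applies after a workload moves (e.g. on-prem -> cloud, new IP).
Anything not explicitly allowed is denied (default deny).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    labels: frozenset  # e.g. frozenset({"tier=web", "env=prod"})


@dataclass(frozen=True)
class Rule:
    src: frozenset   # labels the source must carry (all of them)
    dst: frozenset   # labels the destination must carry (all of them)
    proto: str       # "tcp" / "udp"
    port: int        # destination port


class Policy:
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def allows(self, src: Workload, dst: Workload, proto: str, port: int) -> bool:
        # A flow is permitted only if some rule's label selectors are subsets
        # of the source's and destination's labels and the service matches;
        # with no matching rule the answer is deny.
        return any(
            r.src <= src.labels and r.dst <= dst.labels
            and r.proto == proto and r.port == port
            for r in self.rules
        )


def evaluate_flows(inventory: Dict[str, Workload], policy: Policy,
                   flows: List[str]) -> List[Tuple[str, str]]:
    """Evaluate constructed flow records of the form 'src_ip dst_ip proto port'.
    Flows whose endpoints are not in the inventory are denied as well."""
    verdicts = []
    for line in flows:
        src_ip, dst_ip, proto, port = line.split()
        src, dst = inventory.get(src_ip), inventory.get(dst_ip)
        if src is None or dst is None:
            verdicts.append((line, "DENY (unknown endpoint)"))
            continue
        ok = policy.allows(src, dst, proto, int(port))
        verdicts.append((line, "ALLOW" if ok else "DENY"))
    return verdicts


# Constructed inventory and policy (hypothetical names and addresses).
PROD = "env=prod"
WEB = Workload("web01", "10.0.1.10", frozenset({"tier=web", PROD}))
APP = Workload("app01", "10.0.2.10", frozenset({"tier=app", PROD}))
DB = Workload("db01", "10.0.3.10", frozenset({"tier=db", PROD}))

POLICY = Policy([
    Rule(frozenset({"tier=web", PROD}), frozenset({"tier=app", PROD}), "tcp", 8080),
    Rule(frozenset({"tier=app", PROD}), frozenset({"tier=db", PROD}), "tcp", 3306),
])


def inventory_for(workloads) -> Dict[str, Workload]:
    return {w.ip: w for w in workloads}


# Constructed flows. The third is an attacker on the compromised web tier
# trying to reach the database directly (lateral movement); the fourth is
# an SSH attempt between tiers that no rule permits.
FLOWS = [
    "10.0.1.10 10.0.2.10 tcp 8080",
    "10.0.2.10 10.0.3.10 tcp 3306",
    "10.0.1.10 10.0.3.10 tcp 3306",
    "10.0.2.10 10.0.3.10 tcp 22",
]


def run_on_prem() -> List[Tuple[str, str]]:
    return evaluate_flows(inventory_for([WEB, APP, DB]), POLICY, FLOWS)


def run_after_db_moved() -> List[Tuple[str, str]]:
    # The database workload is re-hosted at a new address (e.g. in a cloud
    # network); its labels are unchanged, so the policy follows it unchanged.
    db_cloud = Workload("db01", "172.16.9.5", frozenset(DB.labels))
    flows = [f.replace("10.0.3.10", "172.16.9.5") for f in FLOWS]
    return evaluate_flows(inventory_for([WEB, APP, db_cloud]), POLICY, flows)


if __name__ == "__main__":
    for flow, verdict in run_on_prem() + run_after_db_moved():
        print(f"{verdict:<8} {flow}")
```

The point of matching on labels is that a rule such as "app tier may reach db tier on tcp/3306" is written once and never mentions an address, so re-hosting the database only requires updating the inventory, not the policy; an address-based ruleset would need to be rewritten, which is exactly the retrofit problem described above.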

We finished the conversation with a look at some of the ways vArmour and HPE are working together: first, a solution reference architecture for running vArmour on the HC380 hyperconverged platform. This lets customers on the HC380 platform take advantage of the isolation and separation that microsegmentation offers, delivering Layer 7 firewalling, full visibility, and deception capabilities that scale as the hyperconverged environment grows. Additionally, vArmour has delivered an integration with the HPE ArcSight SIEM platform, giving customers visibility from the edge to the core of the virtualized data center.

Simon Leech

Simon Leech is a Certified Information Systems Security Professional with a specialisation in Security Architecture (CISSP-ISSAP), Certified Information Security Manager (CISM), Certified in Risk and Information Systems Control (CRISC), and Certified in Cloud Security Knowledge (CCSK), working in the Worldwide Security Center of Excellence within HPE Pointnext Advisory and Professional Services. Simon is active on Twitter as @DigitalHeMan.